How to Prevent and Remove the Trojan-Downloader.Win32.Delf
| # | Filename(s) | File Size |
| --- | --- | --- |
| 1 | %Programs%\Debugs\lsass.exe | 1,056,256 bytes |
| 2 | %Programs%\Debugs\lsass00.exe | 759,296 bytes |
| 3 | %Programs%\Debugs\on | 0 bytes |
| 4 | %Programs%\Startup\.LNK | 977 bytes |
| 5 | %System%\0.dll | 1,759 bytes |
| 6 | [file and pathname of the sample #1] | 137,728 bytes |
- Notes:
- %Programs% is a variable that refers to the file system directory that contains the user's program groups. A typical path is C:\Documents and Settings\[UserName]\Start Menu\Programs.
- %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
- The following directory was created:
- %Programs%\Debugs
b. Memory Modifications
- The following new process was created in the system:
| Process Name | Process Filename |
| --- | --- |
| lsass.exe | %Programs%\Debugs\lsass.exe |
c. Registry Modifications
- The following Registry Keys were created:
- HKEY_LOCAL_MACHINE\SOFTWARE\Description
- HKEY_LOCAL_MACHINE\SOFTWARE\Description\Microsoft
- HKEY_LOCAL_MACHINE\SOFTWARE\Description\Microsoft\Rpc
- HKEY_LOCAL_MACHINE\SOFTWARE\Description\Microsoft\Rpc\UuidTemporaryData
- The following Registry Values were created:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Description\Microsoft\Rpc\UuidTemporaryData]
- NetworkAddress = E9 14 AA 00 20 5E
- NetworkAddressLocal = 0x00000001
d. Other details
- Attempts to establish connections with the following remote hosts were registered:
| Remote Host | Port Number |
| --- | --- |
| 109.203.96.8 | 51433 |
| 67.210.102.9 | 80 |
| 72.53.180.71 | 80 |
- The data identified by the following URLs was then requested from the remote web servers:
- http://msnseguro.com/06/ALL.scr
- http://www.shelbyville.k12.tx.us/photos/Thumbs.gif
2. How-to's
a. Please update the Sax2 policy knowledge base promptly. Once Sax2 detects the communication of these trojans, it will block it and protect your network and business.
b. How to Remove the Trojan-Downloader.Win32.Delf Manually?
Step 1 : Use Windows Task Manager to end the Trojan-Downloader.Win32.Delf process (the copy running from %Programs%\Debugs, not the legitimate lsass.exe in %System%):
lsass.exe
Step 2 : Remove the registry entries hidden by Trojan-Downloader.Win32.Delf. Once you find that some programs on your PC run abnormally, immediately check the following entries in the Registry and delete the spyware-related ones:
HKEY_LOCAL_MACHINE\SOFTWARE\Description
HKEY_LOCAL_MACHINE\SOFTWARE\Description\Microsoft
HKEY_LOCAL_MACHINE\SOFTWARE\Description\Microsoft\Rpc
HKEY_LOCAL_MACHINE\SOFTWARE\Description\Microsoft\Rpc\UuidTemporaryData
[HKEY_LOCAL_MACHINE\SOFTWARE\Description\Microsoft\Rpc\UuidTemporaryData]
NetworkAddress = E9 14 AA 00 20 5E
NetworkAddressLocal = 0x00000001
Step 3 : Clean up the IE Temporary Internet Files folder, where the original carrier of the threat may be stored. The malicious files generated by Trojan-Downloader.Win32.Delf.bho may also be found at the following locations:
%Programs%\Debugs\lsass.exe
%Programs%\Debugs\lsass00.exe
%Programs%\Debugs\on
%Programs%\Startup\.LNK
%System%\0.dll
[file and pathname of the sample #1]
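The three manual steps above, combined into one report-first PowerShell script as an added example (not code from the original page or from Sax2). It assumes the artifact paths, registry key and remote hosts exactly as listed in this report, expands %Programs% and %System% the way the notes above define them, and only reports unless run with -Remove. Two caveats a practitioner will want: the script identifies the malicious process by its image path under %Programs%\Debugs rather than by name, because the legitimate lsass.exe in %System% must never be terminated (stopping it forces a Windows shutdown); and HKLM\SOFTWARE\Description\Microsoft\Rpc\UuidTemporaryData also exists on many clean Windows installations (the RPC UUID generator uses it), so the script reports it and deletes it only when asked.

```powershell
<#
  Added example, not code from the original page or from Sax2: check a Windows host
  for the Trojan-Downloader.Win32.Delf artifacts listed in this report and optionally
  remove them. Run from an elevated PowerShell prompt. Report-only unless -Remove is given.
#>
[CmdletBinding()]
param(
    [switch]$Remove   # without this switch the script only reports what it finds
)

# %Programs% and %System% expanded as the report's notes define them.
$programs   = [Environment]::GetFolderPath('Programs')
$system     = [Environment]::SystemDirectory
$dropDir    = Join-Path $programs 'Debugs'
$dropPrefix = $dropDir + '\'

# File artifacts from the report's file table (sample #1 has no known path, so it is omitted).
$files = @(
    (Join-Path $dropDir  'lsass.exe'),
    (Join-Path $dropDir  'lsass00.exe'),
    (Join-Path $dropDir  'on'),
    (Join-Path $programs 'Startup\.LNK'),
    (Join-Path $system   '0.dll')
)

# Registry key from the report. Caveat: this key is also present on many clean Windows
# installations (the RPC UUID generator uses it), so it is only deleted with -Remove.
$regKey  = 'HKLM:\SOFTWARE\Description\Microsoft\Rpc\UuidTemporaryData'
$regRoot = 'HKLM:\SOFTWARE\Description'

# Remote hosts from the report's "Other details" section.
$remoteHosts = @('109.203.96.8', '67.210.102.9', '72.53.180.71')

$findings = New-Object System.Collections.Generic.List[string]

# Step 1: the trojan runs as lsass.exe from %Programs%\Debugs. Match on the image path,
# never on the name alone: the real lsass.exe in %System% must not be stopped.
foreach ($p in Get-Process -Name 'lsass' -ErrorAction SilentlyContinue) {
    $path = $p.Path    # null for protected system processes when not elevated
    if ($path -and $path.StartsWith($dropPrefix, [StringComparison]::OrdinalIgnoreCase)) {
        $findings.Add("Process: PID $($p.Id) $path")
        if ($Remove) { Stop-Process -Id $p.Id -Force }
    }
}

# Step 2: the registry entries listed in the report, shown in the report's hex format.
if (Test-Path -Path $regKey) {
    $values = Get-ItemProperty -Path $regKey
    $mac = ($values.NetworkAddress | ForEach-Object { $_.ToString('X2') }) -join ' '
    $findings.Add("Registry: $regKey (NetworkAddress=$mac, NetworkAddressLocal=$($values.NetworkAddressLocal))")
    if ($Remove) { Remove-Item -Path $regRoot -Recurse -Force }
}

# Step 3: dropped files, the drop directory, and the IE Temporary Internet Files folder.
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) {
        $size = (Get-Item -LiteralPath $f -Force).Length
        $findings.Add("File: $f ($size bytes)")
        if ($Remove) { Remove-Item -LiteralPath $f -Force }
    }
}
if ($Remove -and (Test-Path -LiteralPath $dropDir)) {
    Remove-Item -LiteralPath $dropDir -Recurse -Force
}
$ieCache = [Environment]::GetFolderPath('InternetCache')
if ($Remove -and (Test-Path -LiteralPath $ieCache)) {
    Get-ChildItem -LiteralPath $ieCache -Force -Recurse -ErrorAction SilentlyContinue |
        Remove-Item -Force -Recurse -ErrorAction SilentlyContinue
}

# Live connections to the remote hosts in the report (Get-NetTCPConnection exists on
# Windows 8 / Server 2012 and later; older systems are skipped).
if (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue) {
    foreach ($c in Get-NetTCPConnection | Where-Object { $remoteHosts -contains $_.RemoteAddress }) {
        $findings.Add("Connection: $($c.RemoteAddress):$($c.RemotePort) owned by PID $($c.OwningProcess)")
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Trojan-Downloader.Win32.Delf artifacts from the report were found.'
} else {
    $findings | ForEach-Object { Write-Output $_ }
    if (-not $Remove) { Write-Output 'Re-run with -Remove to terminate and delete the items above.' }
}
```

Run it once without -Remove to see what is present, check that any lsass.exe it lists really lives under %Programs%\Debugs, and only then run it again with -Remove. A clean host that still reports the UuidTemporaryData key is expected; that line alone is not evidence of infection.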
c. How to Remove these trojans Instantly?
Malwarebytes' Anti-Malware is an anti-malware application that can thoroughly remove even the most advanced malware. It includes a number of features, including a built-in protection monitor that blocks malicious processes before they even start. Visit http://www.ids-sax2.com/Malwarebytes-Anti-Malware.htm and download Malwarebytes' Anti-Malware to help you.
3. Appendix
For more information, please visit http://www.ids-sax2.com/ComputerSecurityNewsletter.htm